vaDocparse

Security checks across malware telemetry and agentic risk

Overview

This document-parsing skill mostly does what it claims, but it can upload local documents to a remote service and persist configuration or API keys with insufficient user-facing controls.

Install only if you trust the configured document-parsing MCP service and are comfortable sending selected PDFs/images to it. Use your own reviewed endpoint, avoid the bundled .env defaults, do not process confidential documents without approval, store the API key through safer secret handling where possible, and pin or review dependency versions before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The setup script can install Python packages via pip, which is a privileged software-modification action beyond document parsing itself. In a skill ecosystem, auto-installing dependencies increases supply-chain risk because executing setup fetches and installs code from external package sources on the host.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The script reads and rewrites ~/.openclaw/openclaw.json, modifying global agent configuration outside the skill directory. That exceeds the narrow document-parsing function and creates persistence by registering the skill's MCP server into the host application's trusted config.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The installer prompts for an API key and persists it in plaintext in both .env and the injected config. Storing secrets unencrypted on disk broadens exposure to local compromise, accidental leakage, and backup/log disclosure, especially for a skill whose stated purpose is only document parsing.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The trigger description uses broad everyday terms like '阅读/识别/读取' and 'extract text from documents', which can match many benign requests and cause the skill to activate unexpectedly. In this skill's context, unintended activation is more dangerous because activation may lead to local file handling and remote transmission of document contents without a clear, specific user intent for third-party processing.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The markdown activation section repeats broad, ambiguous conditions for invocation, increasing the chance of accidental triggering. Because this skill sends files to a remote parser, ambiguous activation can turn ordinary document-related conversations into unintended data disclosure events.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The skill description says it parses documents via a remote service but does not clearly warn users that document contents may be transmitted off-host to an external MCP service. This is a material privacy and security omission, especially for potentially sensitive PDFs and images, because users may assume local-only processing.

Missing User Warnings
Severity: High
Confidence: 95%
Finding: The usage instructions focus on setup and operation but omit a user-facing warning about the privacy implications and system impact of remote document processing. In context, this is especially risky because the skill is intended for OCR and document extraction, which commonly involve confidential records, and the remote processing is central to the skill's function.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The code base64-encodes the entire input document and sends it to a remote MCP service, which can expose sensitive document contents to an external system. In a document-parsing skill, this behavior is expected functionally, but the lack of explicit disclosure, consent, or trust boundaries creates a real privacy and data-handling risk, especially for confidential files.

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  fastmcp>=3.0.0
  mcp>=1.0.0
Confidence: 94%
Finding: fastmcp>=3.0.0

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  fastmcp>=3.0.0
  mcp>=1.0.0
Confidence: 94%
Finding: mcp>=1.0.0

Known Vulnerable Dependency: fastmcp — 8 advisories: CVE-2025-69196 (FastMCP OAuth Proxy token reuse across MCP servers); GHSA-c2jp-c369-7pvx (FastMCP Auth Integration Allows for Confused Deputy Account Takeover); CVE-2025-64340 (FastMCP has a Command Injection vulnerability - Gemini CLI) +5 more
Severity: Critical
Category: Supply Chain
Confidence: 98%
Finding: fastmcp

Known Vulnerable Dependency: mcp — 3 advisories: CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to )
Severity: High
Category: Supply Chain
Confidence: 97%
Finding: mcp

VirusTotal

VirusTotal findings are pending for this skill version.
